Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target Ignored Data Breach Alarms
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
7/11/2018 | 4:54:43 AM
Re: Deactivation of FireEye's Automatic Response
Their security system specialists obviously need to resit for their security courses and tests. Due to their poor choice of defense mechanisms on that fateful day, things had turned out like how the retailer wouldn't have anticipated them to. This is a costly mistake that the team could refer to as a learning point. Having invested so much for their security system setup, the retailer obviously had greater expectations of the team and they had most likely anticipated such an incident to hit them.
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
7/11/2018 | 4:54:11 AM
Re: Deactivation of FireEye's Automatic Response
Their security system specialists obviously need to resit for their security courses and tests. Due to their poor choice of defense mechanisms on that fateful day, things had turned out like how the retailer wouldn't have anticipated them to. This is a costly mistake that the team could refer to as a learning point. Having invested so much for their security system setup, the retailer obviously had greater expectations of the team and they had most likely anticipated such an incident to hit them.
rradina
50%
50%
rradina,
User Rank: Apprentice
3/24/2014 | 3:19:56 PM
Re: Deactivation of FireEye's Automatic Response
It certainly does.  My last employer has been using it since ~2004/5 -- before McAfee bought Solidcore.  Back then the employer was flagged for not having virus protection on their POS systems.  We had to constantly ask for a compensating control.  That left me with a poor impression of the PCI rules and those who conducted the audits.  It's similar when calling a support line that isn't staffed by trained and experienced resources.  They cannot truly understand problems.  They can only read a script and follow a yes/no logic tree.
Duke_Bauer
50%
50%
Duke_Bauer,
User Rank: Apprentice
3/24/2014 | 12:03:15 PM
Re: Deactivation of FireEye's Automatic Response
I believe this solution exists (McAfee Solidcore)
pfretty
50%
50%
pfretty,
User Rank: Apprentice
3/19/2014 | 4:04:28 PM
Happens far too often
Unfortunate, but the fact that they ignored the warning signs isn't a surprise. There is a dramatic need for a shift in culture. One would think the cost alone would be enough. On average attacks cost companies $11.6 million according to the 2013 HP Ponemon Cost of Cyber Crime report (http://www.hpenterprisesecurity.com/ponemon-study-2013).

Peter Fretty (j.mp/pfrettyhp)
rradina
50%
50%
rradina,
User Rank: Apprentice
3/18/2014 | 11:54:26 AM
Re: Deactivation of FireEye's Automatic Response
Locking them down assumes an OS security exploit was not used to install the malware.  I think it's been established Target's POS uses Windows.  I'll even go further and make an assumption that it's probably XP.

I'm not aware of any XP built-in solution to prevent a security hole being exploited to install malware.  If it's a remote attack vector, it'll typically involve a network service of some kind.  Most services generally have escalated privileges and if compromised, the hacker can almost always use them to gain root access.  

What Windows needs is a helper that monitors via read/write hooks and compares all file-system changes on system/software components with a dictionary made on the original system's image.  If anything is found out of spec, an alert is issued and the processes that use the corrupt image are terminated.  Further, such a helper also needs to scan DLLs and applications IN MEMORY to make sure they too are appropriate.  If not, the processes are terminated.  If an new process begins that's tied to an executable that's not part of the original image, it's terminated before it even finishes loading into memory.

Such products exist for XP and had they been using them, it would have been really tough to infect their POS systems even if a USB thumb drive was inserted.  Hackers would first have to figure out how to disable that software before exploiting the system.  Unfortunately this would require hacking the system so the protection mechanism can be hacked.  It's a chicken and egg scenario.  Certainly not foolproof but arguably difficult enough to perhaps convince them a company using such protection is not low hanging fruit.
SaneIT
50%
50%
SaneIT,
User Rank: Apprentice
3/18/2014 | 8:43:30 AM
Re: Deactivation of FireEye's Automatic Response
You would think that the POS terminals would be locked down as tightly as possible.  It's not like your cashiers should be installing anything on them but not knowing all the details it is possible that the application used the name of a Windows service or application.  
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
3/17/2014 | 7:16:26 PM
unacceptable
It just keeps getting worse for Target. To now know they had the systems in place that could have stopped this breach if they just used the system correctly is unacceptable. This just goes to show you that the best systems are rendered useless id people don't use them correctly.
rradina
50%
50%
rradina,
User Rank: Apprentice
3/17/2014 | 5:33:00 PM
Re: Deactivation of FireEye's Automatic Response
They should respond manually.  If the product constantly cries wolf, either the alert config needs review or the product needs to be replaced.  If that's not an option then they should push the alerts to Splunk and mine the noise for credible events that correlate with other intrusion events (assumes firewalls and other stuff are pushed to Splunk).  My point was automated responses might be tolerated for devices that aren't customer facing but you do not want call center devices, bank ATMs or POS systems downed by a false alarm that automatically removes a vital component.

As a side note, I still don't understand why a POS system could have ANYTHING new installed on it outside of planned events.  They shoud use white list protection or an OS that won't run unsigned apps (like IOS, Android or Windows RT).
hho927
50%
50%
hho927,
User Rank: Guru
3/17/2014 | 2:25:10 PM
Block botnets
Target IT dept fail many ways. 1) If Target blocked all connections to botnet centers, the malware could not send data out. 2) The HVAC vendor said they didn't monitor Target remotely, why did Target give them a corp/network account? 3) Target should not give that account full access to the POS. 4) Security,access auditing was ignored. 5) Ignored alarms. 6) POS should have a seperate network. Target tried to save money here.
Page 1 / 3   >   >>


NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Hunny, I looked every where for the dorritos. 
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
CVE-2020-8569
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
CVE-2020-8570
PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
CVE-2020-8554
PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...